Method and apparatus for enforcing network security policies

ABSTRACT

The invention is a system and method for applying a uniform network security policy. The security policy is described using a computer-readable file. The computer-readable file may be filtered and/or translated into other files that may be used as inputs to security devices. An example of one such security device is a remote system security controller, which is responsible for ensuring that remote devices outside the corporate network enforce the corporate security policy. In addition, the system is capable of updating the security policy of all network components based on feedback received from one or more devices.

FIELD

[0001] This invention pertains to network security, and more particularly to establishing a uniform security policy.

BACKGROUND

[0002] As computers become a more and more important part of our lives, the security of the computers becomes increasingly important. All too often, news reports describe the vulnerability of computers in one form or another. Between hackers breaking into “secure” computers, virus alerts, and warnings about newly discovered vulnerabilities in computer operating systems, computer security is kept in the public eye.

[0003] To help address security issues, many security devices have become commonplace in computer networks. Businesses have awakened to the need for firewalls, intrusion detection systems, virus scanning software and logging/monitoring devices (the last item used to analyze an attack on the corporate network after the immediate threat has been addressed). And with the increasing concern about employees using business computers for non-business tasks, employers are also using proxy servers. Proxy servers watch outgoing traffic and block inappropriate activities (such as visits to offensive web sites or the use of software, such as Java or ActiveX, that should not be used).

[0004] But the way a security policy is implemented on these security devices is somewhat haphazard. Policy is set at the top of the corporate pyramid, and propagated downward to the persons who manage the various security devices. Each security device receives its own programming to define the security policy as it is to be enforced by the individual security device. There is no coordination between the various security devices to ensure that all the holes are filled. And while there are firewalls capable of providing inputs to other firewalls (expecting different inputs), these are a special case.

[0005] An additional problem arises with devices that may be taken outside the corporate network. An employee may use a computer outside the network (such as a laptop computer supplied by the company, the employee's home computer, or wireless devices, such as Personal Digital Assistants (PDAs)) to access the corporate network from outside. There is currently no way for the corporate security policy to be enforced with respect to mobile devices. For example, although corporate policy may dictate that ActiveX be disabled in computer browsers, the user on the remote computer may enable ActiveX with a few simple commands. And since the remote computer connects to the Internet without going through the corporate proxy server, this violation of the corporate policy may not be detected.

[0006] A need remains for a way to address these and other problems associated with the prior art.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] FIG. 1 shows a corporate network and outside devices according to an embodiment of the invention.

[0008] FIG. 2 shows a translator translating a network-wide security policy into security policies for individual security devices as shown in FIG. 1, according to an embodiment of the invention.

[0009] FIG. 3 shows details of the translator of FIG. 2, according to an embodiment of the invention.

[0010] FIG. 4 shows a portable device configured to interact with the network of FIG. 1 and designed to comply with the security policy, according to an embodiment of the invention.

[0011] FIG. 5 shows a flowchart of the procedure used to establish a uniform network security policy on the network of FIG. 1, according to an embodiment of the invention.

[0012] FIGS. 6A-6C show a flowchart of the procedure used to grant or deny a request for a portable device to connect to the network of FIG. 1, according to an embodiment of the invention.

[0013] FIG. 7 shows the individual security devices of FIG. 1 providing feedback regarding the network-wide security policy, according to an embodiment of the invention.

DETAILED DESCRIPTION

[0014] FIG. 1 shows a corporate network (also called an intranet, meaning a network within (or intra) the business) and outside devices according to an embodiment of the invention. In FIG. 1, a corporate network is shown, along with an external network, such as the Internet. Within the corporate network, workstations 105 represent computers used by employees. Although shown as desktop computer models, a person skilled in the art will recognize that workstations 105 may be any type of personal computer, including but not limited to desktop computers, laptop computers, wireless devices, and so on. Note that for wireless devices or laptop computers to be connected to the corporate network, they must be connected to an access point, such as a network port or wireless connection point internal to the company.

[0015] Workstations 105 connect to internal server 110. Internal server 110 stores information available within the corporate network. For example, internal server 110 may store corporate web sites not available to the general public via the Internet, or corporate data. A person skilled in the art will recognize other types of data that may be stored on internal server 110.

[0016] To access data outside the corporate network, users at workstations 105 connect to proxy server 115, which in turn connects with network 125. Proxy server 115 is responsible for determining that data requests are appropriate for devices within the corporate network. For example, proxy server 115 may block a request to access a web site with inappropriate content. Or proxy server 115 may determine that workstation 105 is set to use ActiveX, contrary to corporate policy, and block the ActiveX objects on the web site from running. A person skilled in the art will recognize other functions that proxy server 115 may perform.

[0017] One function that proxy server 115 may perform is logging communications between workstations 105 and sites outside the corporate network. The log may then be used to review corporate workstation use, to determine if any of the corporate workstations have been used for purposes outside the scope of an employee's duties. Logging/monitoring device 120 is responsible for logging the communications. Logging/monitoring device 120 may be implemented as software within proxy server 115, or it may be a separate component of the corporate network security system.

[0018] Protecting the corporate network from outside attack are firewall 130 and intrusion detection system 135. Firewall 130 is responsible for filtering data requests coming from outside the corporate network. Intrusion detection system 135 is responsible for monitoring the corporate network for probes by hackers, and for stopping attacks if possible.

[0019] Opening a door in the corporate security policy for legitimate users, server 140 is responsible for receiving incoming requests for communication. Server 140 may receive requests for communication via a direct dial-up (i.e., a direct telephone line connects to server 140, which legitimate users may dial to directly connect to the corporate network). Server 140 may also be configured to process requests to open a Virtual Private Network (VPN) between the corporate network and a device connected to network 125. A person skilled in the art will recognize other ways in which server 140 may be configured to permit legitimate communication with the corporate network. For example, server 140 may be configured to process wireless communications from outside the corporate network.

[0020] Assisting server 140 in enforcing corporate security policy is remote system security controller (RSSC) 145. RSSC 145 is responsible for determining that outside devices granted access to the corporate network are properly configured to enforce the corporate security policy. The operation of RSSC 145 will be discussed further with reference to FIG. 4, below.

[0021] When a device outside the corporate network wants to access data within the corporate network, server 140 receives the request for a connection. In FIG. 1, notebook computer 150 and wireless device 155 are each shown requesting a connection from server 140, although in different ways. Notebook computer 150 is shown requesting a connection directly from server 140, whereas wireless device 155 is shown requesting a VPN through network 125. But a person skilled in the art will recognize that other types of connections may be used, and that devices other than a notebook computer or wireless device may be used to request a connection with server 140.

[0022] Once server 140 has received the request, server 140 may authenticate the request. This typically involves receiving from the user a log-in identification and password, but a person skilled in the art will recognize other ways in which authentication may be performed. Authentication may also be skipped, if desired. If the user requesting the connection is unable to authenticate himself, server 140 denies the connection request without further ado.

[0023] If the user is authenticated, then server 140 interrogates the remote device to determine if the remote device includes the remote system security agent (RSSA). The RSSA is responsible for configuring the security of the remote device, and works in coordination with RSSC 145. If the RSSA is not present, then server 140 denies the connection request. Otherwise, server 140 passes control to RSSC 145 to ensure that the remote device is properly configured to maintain the security of the corporate network, according to the established security policy.

[0024] Although FIG. 1 shows the corporate network as including most of the security elements (that is, proxy server 115, firewall 130, intrusion detection system 135, server 140 for outside connections, and RSSC 145), a person skilled in the art will recognize that, depending on the corporate security policy, one or more of these components may be omitted. For example, if the corporate network is not concerned about outside attack, firewall 130 and/or intrusion detection system 135 may be omitted from the corporate network.

[0025] FIG. 2 shows a translator translating a network-wide security policy into security policies for individual security devices as shown in FIG. 1, according to an embodiment of the invention. In FIG. 2, policy database 205 is a computer-readable file (that is, a file accessible by a machine) that defines the security policy for the entire corporate network. Security policy usually begins as an English- (or other-) language policy stated informally by a person with the appropriate level of authority in the company. The policy is then translated into policy database 205, which defines the policy electronically. Note that policy database 205 is a network-wide security policy, and is not specific to any particular security device. In one embodiment, policy database 205 is defined in a language that is neutral relative to the various security devices, such as eXtensible Markup Language (XML).

[0026] Once defined, policy database 205 may include security definitions that apply to many security devices. It is the job of translator/filter 210 to separate policy database 205 into separate files for each individual security device in the corporate network. Translator/filter 210 scans policy database 205 and eliminates any entries not pertinent to the particular security device. This is also discussed further with reference to FIG. 3 below.

[0027] Translator/filter 210 may also translate from the language in which policy database 205 is stored into a language understood by the individual security devices. The individual security devices may understand languages with different semantics and syntaxes. Translator/filter 210 is designed to “speak” the language of the individual security devices and to translate policy database 205 into the various languages.

[0028] For example, translator/filter 210 is shown in FIG. 2 translating policy database 205 into policy files 215, 220, 225, 230, and 235, for RSSC 145, logging/monitoring device 120, firewall 130, intrusion detection system 135, and proxy server 115, respectively. Policy files 215, 220, 225, 230, and 235 may be used as inputs to the various security devices to define the settings of the various security devices, thereby implementing the network-wide security policy.

[0029] FIG. 3 shows details of the translator of FIG. 2, according to an embodiment of the invention. In FIG. 3, a portion of policy database 205 is shown in detail. Policy database 205 includes two sites to which the proxy server is to block access, and two port settings on which the firewall is to block incoming communication requests. Since the firewall does not need to know about sites employees are not supposed to visit, and the proxy server does not need to know about ports on which communication requests are to be ignored, policy database 205 includes settings not applicable to both devices. Translator/filter 210 separates the settings into the respective policy files, including in each policy file only the settings pertinent to the respective security device.

[0030] Notice also that in FIG. 3, the syntax of policy files 225 and 235 is different from each other and from that of policy database 205. Translator/filter 210 is responsible for translating the settings in policy database 205 into the native language understood by the various security devices, so that the security devices may understand the inputs.

[0031] FIG. 4 shows a portable device configured to interact with the network of FIG. 1 and designed to comply with the security policy, according to an embodiment of the invention. In FIG. 4, remote device 150 is shown as a notebook computer, but a person skilled in the art will recognize that any type of device capable of interacting with the corporate network may be used. For example, wireless device 155 from FIG. 1 may be substituted for notebook computer 150 in FIG. 4.

[0032] In FIG. 4, remote device 150 includes remote system security agent (RSSA) 405. RSSA 405 manages the security tools used by remote device 150 and implements the corporate security policy in coordination with RSSC 145. Specifically, RSSA 405 configures the security tools used by remote device 150 to bring remote device 150 into compliance with the corporate security policy.

[0033] As shown in FIG. 4, remote device 150 may include three security tools: application monitor/session logging tool 410, intrusion detection system 415, and firewall 420. These are usually the software analogs to proxy server 115, intrusion detection system 135, and firewall 130 of FIG. 1, but a person skilled in the art will recognize that these tools may be implemented in hardware as well. As discussed above with reference to FIG. 1, when remote device 150 attempts to connect to the corporate network, server 140 authenticates the user and determines that remote device 150 includes RSSA 405. Once remote device 150 has been verified as having the required elements, server 140 hands control off to RSSC 145. RSSC 145 then verifies whether remote device 150 is in compliance with the corporate security policy, and if not, whether remote device 150 may be brought into compliance.

[0034] RSSC 145 begins by interrogating remote device 150 for the security tools installed in remote device 150, as shown by arrow 425. The remote device responds with the list of installed security tools, as shown by arrow 430. This exchange serves two purposes. First, it enables RSSC 145 to know whether remote device 150 has the necessary tools to comply with the corporate security policy. Second, it lets RSSC 145 know the “language” of the tools used by remote device 150 to enforce security, so that RSSC 145 may translate the security settings into a language understood by the tools.

[0035] If remote device 150 lacks a required security tool (for example, if remote device 150 does not have firewall 420 installed), RSSC 145 may deny the connection request. Otherwise, RSSC 145 may send updates to the installed tools, as shown by arrow 435. To accomplish this, RSSC 145 includes translator/filter 440. Translator/filter 440 operates very similarly to translator/filter 210 of FIGS. 2 and 3, except that the target “languages” of the translated/filtered policy files are those of security tools 410, 415, and 420. Once the policy files are installed, remote device 150 is in compliance with the corporate security policy, and may be permitted to access data on the corporate network.

[0036] As shown, FIG. 4 describes applying the corporate security policy to the security tools on remote device 150 without first determining if the security tools comply with the policy. A person skilled in the art will recognize that RSSC 145 may instead interrogate remote device 150 to determine the current settings for the various security tools, and only transmit the necessary updates (if any) in the policy files of arrow 435. For this reason, the transmission of the policy updates in arrow 435 is shown with a dashed line.

[0037] FIG. 5 shows a flowchart of the procedure used to establish a uniform network security policy on the network of FIG. 1, according to an embodiment of the invention. In FIG. 5, at block 505, a network-wide corporate security policy is defined. This is the corporate security policy as defined in “English” by the appropriate corporate personnel. At block 510, the corporate security policy is translated into a computer-readable file. At block 515, for each security device, the computer-readable file is filtered so that only the policy statements appropriate for the security device are considered. At block 520, the filtered files are translated into languages understood by the security devices. Note that if the computer-readable file produced at block 510 is in the same “language” as that understood by any or all of the security devices, then translation may not be necessary, and block 520 may be omitted. Finally, at block 525, the translated/filtered policy file is applied to the security devices.

[0038] FIGS. 6A-6C show a flowchart of the procedure used to grant or deny a request for a portable device to connect to the network of FIG. 1, according to an embodiment of the invention. In FIG. 6A, at block 605, the server designated for processing requests to connect to the corporate network from outside (in FIG. 1, server 140) receives a request for a connection. (Implicit in FIGS. 6A-6C is the authentication of the user of the requesting device.) At block 610, the server queries the requesting device to see if it has the RSSA. At decision point 615, the server decides what to do based on the result of that query. Assuming the device has the RSSA, then at block 620 (FIG. 6B), the RSSC queries the requesting device to determine what security tools are installed. At decision point 625, the RSSC determines if the requesting device has sufficient security tools to enforce the corporate security policy. If the requesting device does not have the necessary security tools (or if the requesting device did not have the RSSA at decision point 615 in FIG. 6A), then at block 630 the request for a connection is denied. Otherwise, at decision point 635 the RSSC determines if the security tools are up-to-date in enforcing the corporate security policy. If the security tools are not up-to-date, then at block 640 (FIG. 6C), the RSSC filters the policy file for the various security tools on the remote device, and (if necessary) translates the filtered policy files into “languages” understood by the various security tools at block 645. At block 650, the translated/filtered policy files are applied to the security tools. Finally, at block 655, the request for a connection is granted. (Block 655 is also executed if the RSSC determined the security tools to be up-to-date at decision point 635 in FIG. 6B.)

[0039] As discussed above with reference to FIG. 4, the RSSC may apply the security policy without first determining whether the security tools on the remote device currently enforce the policy. That is, the RSSC might assume that the security tools on the remote device do not support the corporate security policy. In that case, decision point 635 may be omitted and control passed directly from decision point 625 to block 640.
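The admission procedure of FIGS. 6A-6C, with the refinement of paragraph [0036] that only the settings that differ from policy are sent back to the device, as an added example in Python. This is not the patent's code. The tool names, setting names, the credential store and the shape of the messages exchanged between server 140, RSSC 145 and the RSSA are all assumptions made for the example.

```python
"""Added example (not the patent's code): the grant/deny decision of FIGS. 6A-6C
as RSSC 145 might make it, computing only the settings that differ from policy
(paragraph [0036], arrow 435). Tool names, setting names, credentials and
message shapes are assumptions."""
import hmac
from dataclasses import dataclass

# Claim 21's minimum tool set, under names assumed here.
REQUIRED_TOOLS = {"app_monitor", "ids", "firewall"}

# Required per-tool settings, as RSSC 145 would hold them after filtering and
# translating policy file 215 for the remote tools (hypothetical content).
REQUIRED_SETTINGS = {
    "firewall": {"block_inbound_tcp": [23, 135]},
    "app_monitor": {"activex": "disabled", "java": "disabled"},
    "ids": {"signature_set": "v7"},
}

# Constructed credential store for the authentication step of paragraph [0022].
CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class ConnectionRequest:
    user: str
    password: str
    has_rssa: bool      # the device's answer to the server's query at block 610
    tools: dict         # arrow 430: {tool name: current settings}, as reported by the RSSA


def compliant_tools():
    """A fresh copy of a tool report that already satisfies REQUIRED_SETTINGS."""
    return {tool: dict(settings) for tool, settings in REQUIRED_SETTINGS.items()}


def authenticate(req):
    expected = CREDENTIALS.get(req.user)
    return expected is not None and hmac.compare_digest(expected, req.password)


def compute_updates(tools):
    """Decision point 635 with the [0036] refinement: the subset of required
    settings the device does not already have. Empty means the tools are up to date."""
    updates = {}
    for tool, required in REQUIRED_SETTINGS.items():
        current = tools.get(tool, {})
        delta = {k: v for k, v in required.items() if current.get(k) != v}
        if delta:
            updates[tool] = delta
    return updates


def apply_updates(tools, updates):
    """Stand-in for the RSSA changing settings in the tools (claim 24)."""
    for tool, delta in updates.items():
        tools.setdefault(tool, {}).update(delta)


def admit(req):
    """Returns (decision, updates, reason). 'grant' with non-empty updates means
    blocks 640-650 ran (updates applied) before block 655 granted the connection."""
    if not authenticate(req):
        return "deny", {}, "authentication failed"
    if not req.has_rssa:                                  # decision point 615
        return "deny", {}, "remote system security agent not present"
    missing = REQUIRED_TOOLS - set(req.tools)             # decision point 625
    if missing:
        return "deny", {}, f"missing security tools: {sorted(missing)}"
    updates = compute_updates(req.tools)                  # decision point 635
    if not updates:
        return "grant", {}, "already compliant"           # straight to block 655
    apply_updates(req.tools, updates)                     # blocks 640-650
    if compute_updates(req.tools):                        # re-query after the update
        return "deny", updates, "device could not be brought into compliance"
    return "grant", updates, "updated to policy"


if __name__ == "__main__":
    stale = compliant_tools()
    stale["app_monitor"]["activex"] = "enabled"           # user re-enabled ActiveX ([0005])
    req = ConnectionRequest("alice", "correct horse battery staple", True, stale)
    print(admit(req))
```

The controller here, like the one in the patent, decides on the basis of what the RSSA reports about itself (arrow 430); nothing on this page attests that the agent or its report is genuine, so the check is only as trustworthy as the agent.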

[0040] One benefit of centralized policy control is the capability to update the policy database based on feedback from the various devices enforcing the policy. FIG. 7 illustrates this advantage. In FIG. 7, the individual security devices are shown issuing security alerts 705. These are received by alert monitor 710, part of centralized security manager 715. Upon receiving security alerts 705, centralized security manager 715 can determine if the policy database needs updating. If so, centralized security manager 715 can send policy update 720 to policy database 205, which can then be translated and filtered for the various individual security devices.

[0041] Although the term “security alert” suggests that the individual devices only provide feedback when someone is attempting to circumvent the policy, a person skilled in the art will recognize that the individual devices can issue any type of feedback to centralized security manager 715. For example, an individual security device might receive an update from an external site regarding the general programming of the individual security device, which might impact the network policy.
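The translation of FIG. 3 and the procedure of FIG. 5 (a device-neutral XML policy database split by translator/filter 210 into a firewall policy file and a proxy policy file, each in its own syntax), together with the feedback loop of FIG. 7 (an alert that becomes policy update 720 and is then re-translated), as an added example in Python. This is not the patent's code. The XML schema, the device names and the two native syntaxes written out (an iptables-style rule list and a squid-style ACL list) are assumptions; the patent does not say what languages its devices speak.

```python
"""Added example (not the patent's code): policy database 205 in XML, the
translator/filter of FIGS. 2, 3 and 5 that splits it into per-device policy
files in each device's native syntax, and the FIG. 7 feedback loop.
The schema, device names and output syntaxes are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample of policy database 205 (hypothetical schema). Each entry names
# the device it pertains to, so the filter step (block 515) can select by device.
POLICY_DB = """<policy>
  <block_site device="proxy" host="www.example-gambling.test"/>
  <block_site device="proxy" host="www.example-warez.test"/>
  <block_port device="firewall" port="23" proto="tcp"/>
  <block_port device="firewall" port="135" proto="tcp"/>
  <disable_control device="proxy" name="ActiveX"/>
</policy>"""


def filter_entries(policy_xml, device):
    """Block 515: keep only the entries pertinent to one security device."""
    root = ET.fromstring(policy_xml)
    return [e for e in root if e.get("device") == device]


def to_firewall(entries):
    """Block 520 for the firewall: one iptables-like rule per blocked port (assumed
    syntax). Returns (lines, unsupported) so an entry the translator cannot express
    is reported instead of being silently dropped from the policy."""
    lines, unsupported = [], []
    for e in entries:
        if e.tag == "block_port":
            lines.append(f"-A INPUT -p {e.get('proto', 'tcp')} --dport {e.get('port')} -j DROP")
        else:
            unsupported.append(e.tag)
    return lines, unsupported


def to_proxy(entries):
    """Block 520 for the proxy: squid-like ACL lines (assumed syntax)."""
    lines, unsupported = [], []
    for e in entries:
        if e.tag == "block_site":
            lines.append(f"acl blocked dstdomain {e.get('host')}")
        elif e.tag == "disable_control":
            lines.append(f"deny_control {e.get('name')}")
        else:
            unsupported.append(e.tag)
    if any(line.startswith("acl blocked ") for line in lines):
        lines.append("http_access deny blocked")
    return lines, unsupported


TRANSLATORS = {"firewall": to_firewall, "proxy": to_proxy}


def translate(policy_xml):
    """Blocks 515 and 520 for every device the translator knows:
    {device: (policy_file_lines, unsupported_entry_tags)}."""
    return {dev: fn(filter_entries(policy_xml, dev)) for dev, fn in TRANSLATORS.items()}


def unknown_devices(policy_xml):
    """Entries whose device has no translator would otherwise vanish; surface them."""
    return sorted({e.get("device") for e in ET.fromstring(policy_xml)} - set(TRANSLATORS))


def apply_feedback(policy_xml, alert):
    """FIG. 7: centralized security manager 715 turns an alert (constructed here as a
    dict such as {"source": "ids", "kind": "port_probe", "port": 445, "proto": "tcp"})
    into policy update 720. Only alert kinds the manager has a rule for change the
    policy, and a port already blocked is not added twice, so re-applying the same
    alert is a no-op."""
    root = ET.fromstring(policy_xml)
    if alert.get("kind") == "port_probe":
        port, proto = str(alert["port"]), alert.get("proto", "tcp")
        already = any(e.tag == "block_port" and e.get("port") == port
                      and e.get("proto", "tcp") == proto for e in root)
        if not already:
            ET.SubElement(root, "block_port", device="firewall", port=port, proto=proto)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for dev, (lines, unsupported) in translate(POLICY_DB).items():
        print(f"# policy file for {dev}")
        print("\n".join(lines))
```

Each translator returns the entries it could not express alongside the lines it produced; a translator that quietly discards an entry it does not understand leaves exactly the kind of uncoordinated hole that paragraph [0004] complains about.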

[0042] A person skilled in the art will recognize that an embodiment of the invention described above may be implemented using a computer. In that case, the method is embodied as instructions that comprise a program. The program may be stored on computer-readable media, such as floppy disks, optical disks (such as compact discs), or fixed disks (such as hard drives). The program may then be executed on a computer to implement the method. A person skilled in the art will also recognize that an embodiment of the invention described above may include a computer-readable modulated carrier signal.

[0043] Having illustrated and described the principles of the invention in an embodiment thereof, it should be readily apparent to those skilled in the art that the invention may be modified in arrangement and detail without departing from such principles. All modifications coming within the spirit and scope of the accompanying claims are claimed.

CLAIMS

1. A system for establishing a security policy for a network, comprising: a network; a first machine-accessible file representing a network-wide security policy on the network; first and second security tools connected to the network; and a translator operative to translate the first machine-accessible file into second and third machine-accessible files for the first and second security tools, respectively.

2. A system according to claim 1, wherein the first and second security tools are drawn from a set including a proxy server, a firewall, an intrusion detection system, a logging/monitoring device, and a remote system security controller.

3. A system according to claim 1, wherein the translator includes a filter operative to filter a first entry in the first machine-accessible file from the second machine-accessible file, and to filter a second entry in the first machine-accessible file from the third machine-accessible file.

4. A system according to claim 1, further comprising a centralized security manager.

5. A system according to claim 4, wherein: the system further comprises a feedback issued by at least one of the first and second security tools; and the centralized security manager is operative to update the first machine-accessible file responsive to the feedback.

6. A system for establishing a security policy for a network, comprising: a network; a first machine-accessible file representing a network-wide security policy on the network; a proxy server connected to the network; a firewall connected to the network; an intrusion detection system connected to the network; and a translator operative to translate the first machine-accessible file into second, third, and fourth machine-accessible files for the proxy server, firewall, and intrusion detection system, respectively.

7. A system according to claim 6, wherein: the system further comprises a remote system security controller; and the translator is operative to translate the first machine-accessible file into a fifth machine-accessible file for the remote system security controller.

8. A system according to claim 6, wherein: the system further comprises a logging/monitoring device; and the translator is operative to translate the first machine-accessible file into a sixth machine-accessible file for the logging/monitoring device.

9. An apparatus for establishing a security policy for a network, comprising: a first machine-accessible file representing a network-wide security policy on the network; a translator operative to translate the first machine-accessible file into second and third machine-accessible files for use with first and second security tools, respectively; and a machine operative to access the first machine-accessible file, to use the translator to produce the second and third machine-accessible files, and to use the second and third machine-accessible files to operate the first and second security tools.

10. An apparatus according to claim 9, wherein the translator includes a filter operative to filter a first entry in the first machine-accessible file from the second machine-accessible file, and to filter a second entry in the first machine-accessible file from the third machine-accessible file.

11. An apparatus according to claim 9, further comprising: a feedback issued by at least one of the first and second security tools; and a centralized security manager, operative to update the first machine-accessible file responsive to the feedback.

12. A method for enforcing security policy on a network, comprising: generating a first machine-accessible file representing a network-wide security policy on a network; translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively; and applying the second and third machine-accessible files to the first and second security tools.

13. A method according to claim 12, wherein translating the first machine-accessible file includes filtering an entry in the first machine-accessible file from the second machine-accessible file.

14. A method according to claim 12, wherein translating the first machine-accessible file includes translating the first machine-accessible file from a first language to a second language recognizable to the first security tool.

15. A method according to claim 12, wherein applying the second and third machine-accessible files includes applying the second and third machine-accessible files to the first and second security tools drawn from a set including a proxy server, a firewall, an intrusion detection system, and a logging/monitoring device.

16. A method according to claim 12, further comprising: receiving a feedback from at least one of the first and second security tools; and updating the first machine-accessible file responsive to the feedback.

17. A method according to claim 12, wherein applying the second and third machine-accessible files includes applying the second machine-accessible file to a remote system security controller.

18. A method according to claim 17, the method further comprising: receiving a request for a connection to the network from a device; determining if the device includes a tool to enforce the security policy; and granting the request for the connection to the network if the device includes the tool to enforce the security policy.

19. A method according to claim 18, the method further comprising denying the request for the connection to the network if the device lacks the tool to enforce the security policy.

20. A method according to claim 18, wherein receiving a request includes receiving the request for a wireless connection to the network from the device.

21. A method according to claim 18, wherein determining if the device includes a tool includes determining by the remote system security controller if the device includes at least an application monitoring tool, an intrusion detection tool, and a firewall tool.

22. A method according to claim 21, wherein determining if the device includes a tool further includes determining by the remote system security controller if the device includes a session logging tool.

23. A method according to claim 18, the method further comprising: translating by the remote system security controller the second machine-accessible file into a fourth machine-accessible file for the tool on the device; transmitting the fourth machine-accessible file to the device; and applying the fourth machine-accessible file to the tool on the device.

24. A method according to claim 23, wherein applying the fourth machine-accessible file includes changing a setting in the tool on the device.

25. An article comprising a machine-accessible medium having associated data that, when accessed, results in a machine: generating a first machine-accessible file representing a network-wide security policy on a network; translating the first machine-accessible file into second and third machine-accessible files for first and second security tools, respectively; and applying the second and third machine-accessible files to the first and second security tools.

26. An article according to claim 25, wherein the associated data for translating the first machine-accessible file includes associated data for filtering an entry in the first machine-accessible file from the second machine-accessible file.

27. An article according to claim 25, wherein the associated data for translating the first machine-accessible file includes associated data for translating the first machine-accessible file from a first language to a second language recognizable to the first security tool.

28. An article according to claim 25, wherein the associated data for applying the second and third machine-accessible files includes associated data for applying the second and third machine-accessible files to the first and second security tools drawn from a set including a proxy server, a firewall, an intrusion detection system, and a logging/monitoring device.

29. An article according to claim 25, the machine-accessible medium having further associated data that, when accessed, results in the machine: receiving a feedback from at least one of the first and second security tools; and updating the first machine-accessible file responsive to the feedback.

30. An article according to claim 25, wherein the associated data for applying the second and third machine-accessible files includes associated data for applying the second machine-accessible file to a remote system security controller.

31. An article according to claim 30, the machine-accessible medium having further associated data that, when accessed, results in the machine: receiving a request for a connection to the network from a device; determining if the device includes a tool to enforce the security policy; and granting the request for the connection to the network if the device includes the tool to enforce the security policy.

32. An article according to claim 31, the machine-accessible medium having further associated data that, when accessed, results in the machine denying the request for the connection to the network if the device lacks the tool to enforce the security policy.

33. An article according to claim 31, wherein the associated data for receiving a request includes associated data for receiving the request for a wireless connection to the network from the device.

34. An article according to claim 31, wherein the associated data for determining if the device includes a tool includes associated data for determining by the remote system security controller if the device includes at least an application monitoring tool, an intrusion detection tool, and a firewall tool.

35. An article according to claim 34, wherein the associated data for determining if the device includes a tool further includes associated data for determining by the remote system security controller if the device includes a session logging tool.

36. An article according to claim 31, the machine-accessible medium having further associated data that, when accessed, results in the machine: translating by the remote system security controller the second machine-accessible file into a fourth machine-accessible file for the tool on the device; transmitting the fourth machine-accessible file to the device; and applying the fourth machine-accessible file to the tool on the device.

37. An article according to claim 36, wherein the associated data for applying the fourth machine-accessible file includes the associated data for changing a setting in the tool on the device.